This article covers some crucial technical concepts associated with VPNs. A Virtual Private Network (VPN) integrates remote employees, company offices, and partners using the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). With a client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate as a permitted VPN user with the ISP. Once that is finished, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers will authenticate the remote user as an employee who is allowed access to the company network. With that finished, the remote user must then authenticate to the local Windows domain server, Unix server or Mainframe host, depending on where their network account is located. The ISP-initiated model is less secure than the client-initiated model because the encrypted tunnel is built only from the Internet service provider to the company VPN router or VPN concentrator. As well, the secure VPN tunnel is built with L2TP or L2F.
The Extranet VPN connects business partners to your company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The specific tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The choices for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections will use L2TP or L2F. The Intranet VPN connects company offices across a secure connection using the same process, with IPSec or GRE as the tunneling protocols. It is worth noting that what makes VPNs very cost effective and efficient is that they leverage the existing Internet for transporting company traffic. This is why many companies are selecting IPSec as the security protocol of choice for guaranteeing that information is secure as it travels between routers, or between laptop and router. IPSec includes 3DES encryption, IKE key exchange authentication and MD5 route authentication, which provide authentication, authorization and confidentiality.
Internet Protocol Security (IPSec) – IPSec operation is worth noting because it is such a common security protocol used today with Virtual Private Networking. IPSec is specified in RFC 2401 and was developed as an open standard for secure transport of IP across the public Internet. The packet structure consists of an IP header/IPSec header/Encapsulating Security Payload. IPSec provides encryption services with 3DES and authentication with MD5. In addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). These protocols are needed for negotiating one-way or two-way security associations. IPSec security associations are comprised of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use 3 security associations (SA) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will use a Certificate Authority for scalability with the authentication process, instead of IKE/pre-shared keys.
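The ESP packet structure and the per-direction security association described above, as an added example that is not from the article: one unidirectional SA that frames SPI | sequence | payload | ICV, verifies the ICV with HMAC-MD5-96 (the MD5 hash algorithm the article names) and enforces an anti-replay window. It assumes the payload has already been 3DES-encrypted by the sending SA; SPI values and keys are constructed.

```python
# Added example, not from the article: ESP framing and the receive-side
# integrity/anti-replay check for one SA using HMAC-MD5-96 (RFC 2403).
# Assumption: the payload is already 3DES-encrypted by the sending SA.
import hashlib, hmac, struct

ICV_LEN = 12        # HMAC-MD5-96: first 96 bits of the MD5 HMAC
REPLAY_WINDOW = 32  # RFC 2401 minimum anti-replay window

class EspSa:
    """One unidirectional ESP SA: the Access VPN keeps a transmit SA and a
    receive SA per peer, each with its own SPI, key and sequence state."""
    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key = spi, auth_key
        self.next_seq = 1      # transmit side counter
        self.highest_seen = 0  # receive side: highest accepted sequence
        self.seen_mask = 0     # bit k set => highest_seen - k was received

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.md5).digest()[:ICV_LEN]

    def build(self, ciphertext: bytes) -> bytes:
        """Frame: SPI(4) | sequence(4) | encrypted payload | ICV(12)."""
        body = struct.pack("!II", self.spi, self.next_seq) + ciphertext
        self.next_seq += 1
        return body + self._icv(body)

    def receive(self, packet: bytes) -> tuple:
        """Return (accepted, reason, ciphertext); verify ICV before decrypting."""
        if len(packet) < 8 + ICV_LEN:
            return False, "truncated", b""
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi or seq == 0:
            return False, "no SA for SPI or invalid sequence", b""
        if not hmac.compare_digest(icv, self._icv(body)):
            return False, "bad ICV", b""   # tampered or wrong key: drop
        if seq > self.highest_seen:        # newest packet: slide the window
            shift = seq - self.highest_seen
            self.seen_mask = ((self.seen_mask << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seen = seq
            return True, "ok", body[8:]
        offset = self.highest_seen - seq   # older packet: check the bitmap
        if offset >= REPLAY_WINDOW:
            return False, "outside replay window", b""
        if self.seen_mask & (1 << offset):
            return False, "replayed", b""
        self.seen_mask |= 1 << offset
        return True, "ok", body[8:]
```

Because the transmit and receive SAs hold separate state, a peer's counter never collides with the local replay window, which is why the article counts them as distinct associations.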
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation
2. IPSec Tunnel Setup
3. XAUTH Request / Response – (RADIUS Server Authentication)
4. Mode Config Response / Acknowledge (DHCP and DNS)
5. IPSec Security Association
Access VPN Design – The Access VPN will leverage the availability and low cost of the Internet for connectivity to the company core office, with WiFi, DSL and Cable access circuits from local Internet Service Providers. The main issue is that company data must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be used, which builds an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop will be configured with VPN client software that runs on Windows. The telecommuter must first dial a local access number and authenticate with the ISP. The RADIUS server will authenticate each dial connection as an authorized telecommuter. Once that is finished, the remote user will authenticate and authorize with a Windows, Solaris or Mainframe server before starting any applications. Dual VPN concentrators will be configured for failover with Virtual Router Redundancy Protocol (VRRP) should one of them become unavailable.
Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents denial of service (DoS) attacks from outside hackers that could affect network availability. The firewalls are configured to permit the source and destination IP addresses that are assigned to each telecommuter from the pre-defined range. As well, any application and protocol ports that are required will be permitted through the firewall.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus, since the Internet will be used for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner and its peer VPN router at the core office will use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual homed to different multilayer switches for link diversity should one of the links become unavailable. It is important that traffic from one business partner doesn't end up at another business partner office. The switches are located between the internal and external firewalls and are used for connecting public servers and the external DNS server. That isn't a security issue since the external firewall is filtering public Internet traffic.
Additional filtering can be implemented at each network switch as well, to prevent routes from being advertised or vulnerabilities exploited from having business partner connections on the company core office multilayer switches. Separate VLANs will be assigned at each network switch for each business partner to improve security and segmenting of subnet traffic. The tier 2 external firewall will examine each packet and permit those with business partner source and destination IP addresses and the application and protocol ports they require. Business partner sessions will need to authenticate with a RADIUS server. Once that is finished, they will authenticate to Windows, Solaris or Mainframe hosts before starting any applications.
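The firewall policy described for both designs (telecommuter addresses from a pre-defined pool, per-partner source and destination addresses with only the required ports, and no partner-to-partner traffic), as an added example that is not from the article: a default-deny evaluator that checks partner isolation before any allow rule. All subnets, host addresses and ports are constructed sample values.

```python
# Added example, not from the article: default-deny policy evaluator for the
# Access/Extranet VPN firewall rules. All addresses and ports are constructed.
import ipaddress
from typing import Optional

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address

# Constructed addressing: one VLAN subnet per business partner behind the VPN
# routers, the pre-defined telecommuter pool handed out by Mode Config, and
# the core office hosts that remote users are allowed to reach.
PARTNER_NETS = {"partner-a": Net("10.10.1.0/24"), "partner-b": Net("10.10.2.0/24")}
TELECOMMUTER_POOL = Net("10.20.0.0/22")
CORE_HOSTS = {"erp": Addr("192.168.5.10"), "radius": Addr("192.168.5.20")}

# Allow rules: (source network, destination host, protocol, port).
# Only the application ports each party requires; everything else is dropped.
ALLOW = [
    (PARTNER_NETS["partner-a"], CORE_HOSTS["erp"], "tcp", 443),
    (PARTNER_NETS["partner-b"], CORE_HOSTS["erp"], "tcp", 443),
    (TELECOMMUTER_POOL, CORE_HOSTS["erp"], "tcp", 443),
]

def partner_of(addr: Addr) -> Optional[str]:
    """Name of the partner VLAN an address belongs to, or None."""
    return next((name for name, net in PARTNER_NETS.items() if addr in net), None)

def evaluate(src: str, dst: str, proto: str, port: int) -> tuple:
    """Return (verdict, reason) for one flow; reason names the rule that fired."""
    s, d = Addr(src), Addr(dst)
    # Isolation first: a flow between two different partners is never allowed,
    # even if some allow rule would otherwise match its ports.
    sp, dp = partner_of(s), partner_of(d)
    if sp and dp and sp != dp:
        return "deny", f"partner isolation ({sp} -> {dp})"
    for net, host, p, pt in ALLOW:
        if s in net and d == host and proto == p and port == pt:
            return "permit", f"allow {net} -> {host}:{p}/{pt}"
    # No rule matched: the source is outside every assigned range, the host is
    # not an approved core server, or the port is not a required one.
    return "deny", "default deny"

def filter_log(flows) -> list:
    """Evaluate constructed flow records and return the denied ones for review."""
    return [(f, evaluate(*f)[1]) for f in flows if evaluate(*f)[0] == "deny"]
```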